Taking Down Botnets: Microsoft and the Rustock Botnet

Just over a year ago, we announced that the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as “Operation b49”. Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.

This operation, known as Operation b107, is the second high-profile takedown in Microsoft’s joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers. Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet. As you may have read, the Rustock botnet was officially taken offline yesterday, after a months-long investigation by DCU and our partners, successful pleading before the U.S. District Court for the Western District of Washington and a coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.

As with the legal and technical measures that enabled the Waledac takedown, Microsoft filed suit against the anonymous operators of the Rustock botnet, based in part on the abuse of Microsoft trademarks in the bot’s spam. However, Rustock’s infrastructure was much more complicated than Waledac’s: it relied on hard-coded Internet Protocol addresses rather than domain names, and on peer-to-peer command and control servers, to control the botnet. With no domains to take over, only control of the servers themselves and the IP addresses they answered on could cut the bots off. To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis. Specifically, servers were seized from five hosting providers operating in seven U.S. cities: Kansas City, Scranton, Denver, Dallas, Chicago, Seattle and Columbus. With help from the upstream providers, we also severed the IP addresses that controlled the botnet, cutting off communication and disabling it. This case and this operation are ongoing, and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet’s operations.

Bots are versatile, limited only by the imagination of the bot-herder. That’s why Microsoft and our partners are working so aggressively on innovative approaches to quickly take out the entire infrastructure of a botnet, so that it stays inactive while we assist in cleaning the malware off of infected computers. This is how we approached the Waledac takedown and how we are currently approaching the Rustock takedown. We will continue to invest in similar operations in the future as part of our mission to annihilate botnets and make the Internet a safer place for everyone.

However, no single company or group can accomplish this lofty goal alone. It requires collaboration between industry, academic researchers, law enforcement agencies and governments worldwide. In this case, Microsoft worked with Pfizer, the network security provider FireEye and security experts at the University of Washington. All three provided declarations to the court on the dangers posed by the Rustock botnet and its impact on the Internet community. Microsoft also worked with the Dutch High Tech Crime Unit within the Netherlands Police Agency to help dismantle part of the command structure for the botnet operating outside of the United States. Additionally, Microsoft worked with CN-CERT in blocking the registration of domains in China that Rustock could have used for future command and control servers.

We are also now working with Internet service providers and Computer Emergency Response Teams (CERTs) around the world to reach affected computer owners and help them clean the Rustock malware off their computers. Without multi-party public and private collaboration efforts like these, successful takedowns would not be possible. The central lesson we’ve learned from all our efforts to fight botnets is that cooperation is the key to success.

Botnets are known to be the tool of choice for cybercriminals to conduct a variety of online attacks, using the power of thousands of malware-infected computers around the world to send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising and much more. This particular botnet is no exception.

Although its behavior has fluctuated over time, Rustock has been reported to be among the world’s largest spambots, at times capable of sending 30 billion spam e-mails per day. DCU researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes, which works out to roughly 240,000 spam mails per day from one machine. Moreover, much of the spam observed coming from Rustock posed a danger to public health, advertising counterfeit or unapproved knock-off versions of pharmaceuticals.
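The sending rate above is the kind of signal a mail administrator or network defender can detect from their own logs, since an infected workstation pushes out mail at hundreds of times the rate of a legitimate user. The following is an added example, not code from Microsoft's post or from the DCU: a sliding-window counter over constructed mail-relay log lines (the `src=`/`to=` format and the 10.0.0.x addresses are invented for the illustration), flagging any source that exceeds a per-window threshold, plus the per-day extrapolation the post uses.

```python
"""Rate-based spambot detection over constructed mail-relay log lines.

Added example; not part of Microsoft's original post or any Microsoft tool.
The log line format below is invented for this illustration. Adapt LINE_RE
to your own MTA's log format (Postfix, Exchange message tracking, etc.).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO-8601 timestamp> src=<ipv4> to=<recipient>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to=\S+$")

# The post reports one infected host sending 7,500 mails in 45 minutes.
# A normal workstation sends a few dozen in that time, so 500 per 45-minute
# window is a generous threshold that still separates the two cleanly.
WINDOW = timedelta(minutes=45)
THRESHOLD = 500


def parse_line(line):
    """Return (timestamp, source_ip) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip")


def find_spambots(lines, window=WINDOW, threshold=THRESHOLD):
    """Map source IP -> peak messages seen in any sliding window of `window`
    length, for sources whose peak reached `threshold`. Lines must be in
    time order for each source (sort the input if your log is not)."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # unparseable or unrelated line
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def projected_daily_rate(count, window):
    """Extrapolate a count observed in `window` to a 24-hour rate."""
    return round(count * 86400 / window.total_seconds())


def make_sample_log():
    """Constructed sample: one bursting host and one normal host, interleaved."""
    start = datetime(2011, 3, 17, 9, 0, 0)
    lines = []
    # 10.0.0.5 (constructed): 7,500 messages spread evenly over 45 minutes
    for i in range(7500):
        ts = start + timedelta(milliseconds=i * 360)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 to=user{i}@example.net")
    # 10.0.0.9 (constructed): 40 messages over the same 45 minutes
    for i in range(40):
        ts = start + timedelta(seconds=i * 60)
        lines.append(f"{ts.isoformat()} src=10.0.0.9 to=colleague{i}@example.net")
    lines.append("this line is noise and is ignored")
    lines.sort(key=lambda l: (parse_line(l) or (datetime.max, ""))[0])
    return lines


if __name__ == "__main__":
    for ip, count in find_spambots(make_sample_log()).items():
        print(f"{ip}: {count} msgs in {WINDOW}, "
              f"~{projected_daily_rate(count, WINDOW):,}/day")
```

On the constructed sample only 10.0.0.5 is reported, with a peak of 7,500 messages in the window, which the extrapolation turns into the 240,000-per-day figure quoted above. In a real deployment the threshold should be tuned against the legitimate sending profile of the network (mail servers and list software legitimately exceed it), and a hit should lead to isolating and scanning the host rather than only blocking port 25.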

As mentioned previously, because Rustock propagated a market for these fake drugs, drug-maker Pfizer served as a declarant in this case. Pfizer’s declaration provides evidence that the kind of drugs advertised through this kind of spam can often contain wrong active ingredients, incorrect dosages or worse, due to the unsafe conditions fake pharmaceuticals are often produced in. Fake drugs are often contaminated with substances including pesticides, lead-based highway paint and floor wax, just to name a few examples.

Spam is annoying, and it can advertise potentially dangerous or illegal products. It is also significant as a symptom of greater threats to Internet health. Although Rustock’s primary use appears to have been to send spam, it’s important to note that a large botnet can be used for almost any cybercrime a bot-herder can dream up. Botnets are powerful and, with a simple command, can be switched from a spambot to a password thief or DDoS attacker.

Again, DCU’s research shows there may be close to 1 million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer’s owner even being aware that the computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a website booby-trapped with malware, clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discreetly that owners often never suspect their PC is living a double life.

It’s like a gang setting up a drug den in someone’s home while they’re on vacation and coming back to do so every time the owner leaves the house, without the owner ever knowing anything is happening. Homeowners can better protect themselves with good locks on their doors and security systems for their homes. Similarly, computer owners can be better protected from malware if they run up-to-date software, including up-to-date antivirus and antimalware software, on their computers.

Finally, we encourage every computer owner to make sure their machine isn’t doing a criminal’s dirty work. If you believe your computer may be infected by Rustock or other type of malware, we encourage you to visit support.microsoft.com/botnets for free information and resources to clean your computer.

With your help, and the continued public and private cooperation of industry, academia and law enforcement such as Operation b107, we can stop criminals from using botnets to wreak havoc on the Internet.

Bravo. It takes a lot of courage to do what you're doing. You're dealing with some of the world's most disgusting people. I am sure they will fight back and also sure that you, the good guys, will win in the end for the sake of us all. I call on all sane people to support you and suggest that beyond telling us to secure our PCs that you will tell us how else we can support this important activity.

One question though: has Google done anything similar? They like to paint themselves as the good ones and MS as the bad guys, so I'd like to know if there is some evidence in that (Google's) direction.

Thank you Microsoft. I have been battling spam email for over a year. I have contacted the Better Business Bureau and Federal Trade Commission, but the spam keeps coming. Are these people really to blame, or does it happen when we contact businesses and they sell our email to these nuisances? Thank you, thank you!

Wish Google would do the same. Google Mail sucks, with tons of viagra, watches and marketing spam; they really have to do something to protect their mail system. Google, spend some of your billions and give us some security?

I'm no blind Microsoft evangelist, but you deserve enormous credit for the work you do, not just in this example that directly benefits every computer user in the world, but also in your other initiatives in law enforcement such as your partnership with Canadian police on combating child porn.

Google, Apple and RIM depend on email traffic to create value for their services and devices much more than MS, so where are their Crime Units?

Yay Microsoft, I suppose, but realize that the reason they were able to infect so many computers is because of the decision at Microsoft to make things easy but insecure. Running on a Windows desktop with administrator privileges makes everything work easily, including viruses that infect the operating system. Running unknown programs that are attached to an email, by clicking on them, simply because of their extension, and giving that to millions of users, is just asking for trouble.